1995-11-26
SR News: Macro Viruses
Concept is spreading in the wild.
Concept (AKA "Prank Macro",WinWord.Concept, and WordMacro.Concept) is a very
recent virus (just discovered in August of 1995) which does some things
that many people thought were impossible. Concept has been
getting considerable publicity, including a recent article in the Wall
Street Journal. This virus has been confirmed to be spreading in the
wild. (We have had reports from all over the world.) This virus
spreads via MS Word documents. Even if you don't use MS Word, please
read on; this type of virus is a threat to everyone. I'll explain
exactly how the virus works, how to detect it, and how to remove it
(without using an anti-virus product).
THE FIRST MULTI-PLATFORM VIRUS?
Concept can infect any computer that uses MS Word 6.0 (or later
release). Since there is also a version of MS Word for Apple Macintosh
computers as well as PCs, this virus will spread to (or from) a
Macintosh if an infected document is exchanged.
If you define a "platform" as being a type of computer, then yes, this
is the first multi-platform virus. On the other hand, it's important to
recognize this is a VERY limited virus. It will only spread to computers
running MS Word. Actually it's more limited than that; it will only
spread to computers using English language versions of MS Word 6.0. It
will not spread to German, French, Spanish, or Russian versions of MS
Word.
A VIRUS THAT BREAKS ALL THE RULES?
If you take a quick look at this virus, it seems to break the rules for
viruses. Concept infects MS Word documents. Simply opening
an infected document causes the virus to infect your PC. I mentioned
previously that viruses infect only executable programs. It seems a
contradiction that a virus could infect documents. I also stated that to
become infected by a virus you must execute an infected program. Both
these statements still hold true. To see how this is possible, let's
take a close look at how Concept works.
THE TRICKS USED BY A NEW VIRUS:
Concept was written using the "Macro" capability built into MS
Word. Actually it is somewhat of a misnomer to call this just a macro
capability, since it uses a full programming language called Word Basic that
Microsoft provides with each copy of Word. The virus was written
in Word Basic. But MS Word documents can't contain macros, so how does
the virus attach itself to documents? It does this by creating a "template"
rather than a document. Templates are special files supported by MS
Word that are used as a pattern for new documents. Templates, unlike
documents, can contain macros. Concept causes infected
documents to be saved as templates but with the ".DOC" extension
normally associated with documents. After this happens,
the original document no longer exists as a document but rather as
a template with a ".DOC" extension. Templates normally have ".DOT"
extensions so the fact that the document has been converted to a template
is not at all obvious. The virus consists of the macros that are
stored inside of the template. But what causes the virus macros
to be executed in the first place?
AUTOMATIC VIRUS EXECUTION:
MS Word provides the capability to automatically execute a macro (in
this case a Word Basic program) when you open a new template. The infected
templates contain such an AutoOpen macro; this is how the virus code (in
the form of a Word Basic macro program) is executed when you open an
infected document.
This makes the virus very deceptive. Few users of MS Word realize
that every time they open what they think is a document, they
could be executing a viral program. This exposure is not unique to
MS Word; it is also present in other environments that support macro
languages such as MS Excel, Lotus 1-2-3, and Quattro Pro.
HOW CONCEPT SPREADS:
Concept creates a "FileSaveAs" macro. This is the code
that executes when you select "File Save As" from the MS Word File
menu. After opening an infected document, any use of "File Save As"
will result in the document being saved as an infected template with
the standard ".DOC" extension normally associated with documents.
Since documents and templates are handled almost identically by MS
Word, the user is not aware that anything unusual has happened when a
document is converted to an infected template by the "FileSaveAs" macro.
THE SAGA CONTINUES--EVEN MORE VIRUS TRICKS:
Another interesting aspect of this virus is that once you open an
infected document, the MS Word environment itself becomes infected.
This means that if you restart MS Word with no files open, you will
already be infected; all files saved with "File Save As" will be
infected templates. The virus accomplishes this by modifying the
"NORMAL.DOT" file. This file contains the global macros used by MS
Word. Essentially this makes the virus' macros always present (and
active) in the MS Word environment.
IS IT REALLY A VIRUS?:
Microsoft is calling this "Prank Macro" and not referring to it as
a virus. Does this really qualify as a virus? Yes, unfortunately it
does. When you open an infected document (actually a template), you
automatically execute the virus code. This code modifies the MS
Word environment so that all future documents saved using "File Save As"
will be infected templates. This transfers the infection from one host
document to another and is actually spreading in the wild.
THE FRIENDLY VIRUS?:
This virus is fortunately VERY easy to spot. When you open an infected
file for the first time, you will see a box appear containing the number
"1" and nothing else. This apparently was intended by the author of the
virus. The virus does not have a destructive payload but it creates a
macro called "Payload" that could easily be modified to do something
destructive. Several quickie removers leave the "Payload" macro in
place since the presence of this macro will prevent reinfection by
the virus. The virus checks for the presence of a macro called
"Payload" and will not infect if it sees a macro called "Payload"
already there. The virus also adds two other macros to the global macro
pool: "AAAZA0" and "AAAZFS". These macros are very easy to spot and
provide a quick way to check if you are infected. In MS Word, simply
click on "Tools" and then "Macros" and check if these macros are listed.
Beyond spreading, this virus does no real damage. The same may not be
true for future viruses of this type. This virus is VERY easily
modified (even by a non-programmer) and we expect to soon see new
variants that may not be so easy to spot.
HOW TO REMOVE THIS VIRUS:
You could get one of the few anti-virus products that have been updated
to detect and remove this virus (we have produced a prerelease upgrade
to Integrity Master that detects this virus and is available for
download from our support sites.) or you start MS Word and check for
the "AAAZA0" and "AAAZFS" macros. If you see them, you are infected;
if not, you are clean and don't need to check your existing documents.
If you are infected, open all suspect files including
NORMAL.DOT and delete the macros added by the virus. To do this,
click on "Tools", then "Macros", and then delete the following
macros: "AAAZAO", "AAAZFS", "AutoOpen", and "FileSaveAs". There is
also a macro called "Payload" that you can delete, but leaving this
macro in place will prevent reinfection by this virus.
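The two tell-tale signs the article describes, a template saved under a ".DOC" extension and the presence of Concept's macro names, can be checked directly on the file bytes. The script below is an added example and is not from the original article or from Integrity Master; it assumes the Word 6 binary layout in which the WordDocument stream (or the raw file) begins with the File Information Block, whose flags word at offset 0x0A carries the fDot bit, and it treats plain-text occurrences of the macro names as a heuristic signature. The sample file is constructed inline.

```python
import struct

WORD6_IDENT = 0xA5DC  # wIdent at the start of a Word 6/95 FIB (assumption: FIB is at offset 0)
# Macro names the article lists; the first is spelled both AAAZAO and AAAZA0 there, so both are tried.
CONCEPT_MACROS = (b"AAAZAO", b"AAAZA0", b"AAAZFS", b"Payload", b"AutoOpen", b"FileSaveAs")


def fib_is_template(stream: bytes) -> bool:
    """True when the FIB flags word (offset 0x0A) has fDot (bit 0) set,
    i.e. the file is really a template whatever its extension says."""
    if len(stream) < 12:
        return False
    w_ident, _n_fib, _product, _lid, _pn_next, flags = struct.unpack_from("<6H", stream, 0)
    if w_ident != WORD6_IDENT:
        return False  # not a Word 6/95 file; this check says nothing about it
    return bool(flags & 0x0001)


def concept_macro_hits(data: bytes) -> list:
    """Concept macro names found as plain text (case-insensitive) in the bytes."""
    upper = data.upper()
    return sorted({name.decode() for name in CONCEPT_MACROS if name.upper() in upper})


def assess(stream: bytes, filename: str) -> dict:
    """Combine both checks: a template masquerading as .DOC, and known macro names."""
    is_template = fib_is_template(stream)
    masquerading = is_template and filename.lower().endswith(".doc")
    hits = concept_macro_hits(stream)
    return {"template": is_template, "doc_masquerade": masquerading,
            "macros": hits, "suspect": masquerading or bool(hits)}


def build_sample(template: bool, macros: bool) -> bytes:
    """Constructed sample: a minimal Word 6 FIB header, filler text, and
    optionally the macro names as they would sit in the template's name table."""
    flags = 0x0001 if template else 0x0000
    fib = struct.pack("<6H", WORD6_IDENT, 101, 0, 0x0409, 0, flags)
    body = b"\x00" * 20 + b"Quarterly report text..."
    if macros:
        body += b"\x00AutoOpen\x00AAAZAO\x00AAAZFS\x00Payload\x00FileSaveAs\x00"
    return fib + body


if __name__ == "__main__":
    print(assess(build_sample(template=True, macros=True), "REPORT.DOC"))
```

A legitimate NORMAL.DOT also has fDot set, so the extension check matters: only a template under a ".DOC" name is flagged on that ground alone.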
THE FUTURE THREAT:
Concept is fairly easy to deal with. Other viruses of this
type will not be so easy. If you don't use MS Word you may think
you are safe, but any application that supports a similar macro language is
vulnerable to a virus of this type. MS Excel, Lotus 1-2-3, and Quattro
Pro contain languages which would allow writing of viruses that
could spread in these environments. It's important to understand
that such viruses would spread only within those specific
environments rather than universally (the way existing executable
and boot sector viruses spread).
We now have additional viruses utilizing the macro capability. A recent
virus (but not in the wild yet) is WordMacro.Nuclear (AKA WordMacro.Alert).
This virus does not announce its presence with a dialog box. Furthermore, this
virus drops a normal file infecting virus called Ph33r. The Ph33r virus
is memory resident and infects .COM and .EXE files.
You can spot the Nuclear virus since it contains the macros:
AutoExec, AutoOpen, FileSaveAs, FilePrint, FilePrintDefault,
InsertPayload, DropSuriv, FileExit, and Payload.
If the system time is between 5PM and 6PM the macros will drop the Ph33r
virus.
Nuclear will occasionally append the following text when
printing documents:
And finally I would like to say:
STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!
On April 5th of any year, the virus deletes files IO.SYS and COMMAND.COM.
PROTECTION AGAINST FUTURE MACRO VIRUSES.
There are steps you can take now to protect yourself against future
macro viruses similar to Concept.
If you click on "Options" under "Save" you can ask MS Word to get
your approval before modifying NORMAL.DOT. This will disable one
of the tricks used by Concept and likely used in future
viruses of this type.
It should be obvious to you that the reason this virus works is
that it executes without your knowledge in the "AutoOpen" macro.
Turning this off would eliminate this type of attack and the MS
Word documentation provides a way to do this. Just start MS Word
with the command:
winword.exe /mDisableAutoMacros
This supposedly disables all auto macros. UNFORTUNATELY IT DOESN'T
WORK! I assume Microsoft will soon fix this and we can use the
above option.
A technique which does work is to enter the following macro.
Click on "Tools" and then "Macros" and create a new macro
called "autoexec". (This macro will automatically execute
every time you start MS Word.) Enter the following text as your
macro (it's a short Word Basic program):
Sub MAIN
	' Runs at every Word start-up because the macro is named AutoExec
	DisableAutoMacros 1
	' Tell the user that auto macros are off for this session
	MsgBox "Automatic Macro Execution is now OFF", -1
End Sub
Every time you now start up Word, it will turn off Automatic Macros,
effectively eliminating a viral attack using automatic execution
macros.
Integrity Master and other anti-virus products are being updated to
provide additional protection against this type of virus so it's
helpful to keep your protection up-to-date. We have released
a special prerelease update (2.60a) to Integrity Master to detect this
virus by name. This update is available on CompuServe as file
I-MUPD.ZIP (In the Stiller library, #6) and from our primary support
BBS:
First time callers can download and get support for Integrity Master
from Wingit! Call 904-386-8693 for 9600 to 28.8kbps
and HST modems or 904-385-0449 (for all but HST). For really fast
access, you can log on as user: "Integrity Master" (without the
quotes) and you will be offered the download of Integrity Master. The
update is contained in file I_MUP26.ZIP.
All later updates will, of course, detect
these viruses also.
Macro Viruses in perspective
It's important to realize that Concept is easy to recognize and
easy to remove if you do get infected. This virus is no cause for alarm.
There is some reason for concern regarding future viruses using the
techniques used by this virus. Make sure your anti-virus protection
is prepared to handle this new threat.